ACK: [SRU][M][PATCH 0/1] CVE-2024-26803

Stefan Bader stefan.bader at canonical.com
Fri May 10 12:44:36 UTC 2024


On 02.05.24 00:09, Bethany Jamison wrote:
> [Impact]
> 
>   In the Linux kernel, the following vulnerability has been resolved:
> 
>   net: veth: clear GRO when clearing XDP even when down
> 
>   veth sets NETIF_F_GRO automatically when XDP is enabled,
>   because both features use the same NAPI machinery.
> 
>   The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which
>   is called both on ndo_stop and when XDP is turned off.
>   To avoid the flag from being cleared when the device is brought
>   down, the clearing is skipped when IFF_UP is not set.
>   Bringing the device down should indeed not modify its features.
> 
>   Unfortunately, this means that clearing is also skipped when
>   XDP is disabled _while_ the device is down. And there's nothing
>   on the open path to bring the device features back into sync.
>   IOW if user enables XDP, disables it and then brings the device
>   up we'll end up with a stray GRO flag set but no NAPI instances.
> 
>   We don't depend on the GRO flag on the datapath, so the datapath
>   won't crash. We will crash (or hang), however, next time features
>   are sync'ed (either by user via ethtool or peer changing its config).
>   The GRO flag will go away, and veth will try to disable the NAPIs.
>   But the open path never created them since XDP was off, the GRO flag
>   was a stray. If NAPI was initialized before we'll hang in napi_disable().
>   If it never was we'll crash trying to stop uninitialized hrtimer.
> 
>   Move the GRO flag updates to the XDP enable / disable paths,
>   instead of mixing them with the ndo_open / ndo_close paths.
> 
> [Fix]
> 
> Mantic:	Clean cherry-pick from linux-6.6.y
> Jammy:	pending
> Focal:	not-affected
> Bionic: not-affected
> Xenial:	not-affected
> Trusty:	not-affected
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affects those who use the veth (virtual ethernet) driver, an
> issue with this fix would be visible to the user via a system crash.
> 
> Jakub Kicinski (1):
>    net: veth: clear GRO when clearing XDP even when down
> 
>   drivers/net/veth.c | 35 +++++++++++++++++------------------
>   1 file changed, 17 insertions(+), 18 deletions(-)
> 

Acked-by: Stefan Bader <stefan.bader at canonical.com>
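
The stray-flag sequence from the quoted [Impact] text, as an added example that is not part of the original e-mail or of the kernel patch. It is a toy C state model: the struct, the function names and the `fixed` switch are hypothetical, and it assumes the user never requested GRO explicitly.

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy model of the quoted description; not code from drivers/net/veth.c. */
struct veth_model { bool up, xdp, gro, napi; };

/* Shared teardown (ndo_stop and XDP off). Pre-fix clears GRO only while IFF_UP. */
static void disable_xdp(struct veth_model *d, bool xdp_off, bool fixed)
{
    d->napi = false;
    if (fixed ? xdp_off : d->up)  /* post-fix: only on the XDP-off path */
        d->gro = false;
}

static void xdp_set(struct veth_model *d, bool on, bool fixed)
{
    d->xdp = on;
    if (on)
        d->gro = true;            /* GRO is set automatically with XDP */
    else
        disable_xdp(d, true, fixed);
    d->napi = on && d->up;        /* NAPI only exists while up with XDP */
}

static void dev_set_up(struct veth_model *d, bool up, bool fixed)
{
    d->up = up;                   /* IFF_UP is already clear at teardown */
    if (up)
        d->napi = d->xdp;         /* open path never resyncs the GRO flag */
    else
        disable_xdp(d, false, fixed);
}

/* up, XDP on, [down], XDP off, up; true means GRO set with no NAPI. */
static bool replay(bool fixed, bool disable_while_down)
{
    struct veth_model d = {0};
    dev_set_up(&d, true, fixed);
    xdp_set(&d, true, fixed);
    if (disable_while_down)
        dev_set_up(&d, false, fixed);
    xdp_set(&d, false, fixed);
    dev_set_up(&d, true, fixed);
    return d.up && d.gro && !d.napi;
}

int main(void)
{
    printf("stray GRO: pre-fix=%d post-fix=%d\n", replay(false, true), replay(true, true));
    return 0;
}
```

Only the pre-fix policy with XDP disabled while the device is down leaves the model in the inconsistent state; disabling XDP while up, or applying the post-fix policy, does not.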